{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-36748","assignerOrgId":"b87402ff-ae37-4194-9dae-31abdbd6f217","state":"PUBLISHED","assignerShortName":"DIVD","dateReserved":"2025-04-15T21:54:36.814Z","datePublished":"2025-12-13T08:16:23.523Z","dateUpdated":"2025-12-16T11:02:11.082Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"ShineLan-X","vendor":"Growatt","versions":[{"lessThanOrEqual":"3.6.0.2","status":"affected","version":"3.6.0.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Hamid Rahmouni"},{"lang":"en","type":"analyst","value":"Victor Pasman"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the local configuration web server. The JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code."}],"value":"ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the local configuration web server. The JavaScript code snippet can be inserted in the communication module’s settings center. This may allow attackers to force a legitimate user’s browser’s JavaScript engine to run malicious code."}],"impacts":[{"capecId":"CAPEC-441","descriptions":[{"lang":"en","value":"CAPEC-441 Malicious Logic Insertion"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.4,"baseSeverity":"HIGH","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"LOW","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L","version":"4.0","vulnAvailabilityImpact":"LOW","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"b87402ff-ae37-4194-9dae-31abdbd6f217","shortName":"DIVD","dateUpdated":"2025-12-16T11:02:11.082Z"},"references":[{"tags":["third-party-advisory"],"url":"https://csirt.divd.nl/CVE-2025-36748/"}],"source":{"discovery":"EXTERNAL"},"title":"Stored Cross-Site Scripting (XSS) vulnerability in Growatt ShineLan-X","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-12-15T20:27:50.124259Z","id":"CVE-2025-36748","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-12-15T20:33:24.697Z"}}]}}